Traffic does not pass over Site-to-Site VPN tunnel when choosing SHA-256 for IKE Phase 2 negotiation
Symptoms
  • Site-to-Site VPN negotiation succeeds, however traffic does not flow over the tunnel.

  • The following logs appear in SmartView Tracker (depending on the settings):

    • For the traffic that does not pass over the tunnel:

      Action = Drop
      Information = encryption fail reason: Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information


    • If using certificates:

      Action = Reject
      Reject Reason = Gateway to Gateway authentication failure
      Encryption Scheme = ... + SHA256, ...
      VPN Feature = IKE
      Information = IKE: Main Mode Cannot construct a valid certificate chain from peer certificates

      Followed by

      Action = Key Install
      Encryption Scheme = IKE
      VPN Feature = IKE
      Information = IKE: Main Mode Sent Notification to Peer: invalid certificate
  • Changing the Phase 2 properties of the VPN Community to perform data integrity with any method other than SHA-256 resolves the issue.
    (SmartDashboard - go to 'IPSec VPN' tab - open the problematic Site-to-Site Community - go to 'Encryption' - in the section 'Encryption Suite', select 'Custom' - click on 'Advanced...' - in the section 'IPsec Security Association (Phase 2) Properties', refer to the field 'Perform data integrity with'.)

  • Status of SecureXL (enabled/disabled) on VPN Gateways is not relevant.
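As an added example (not part of this SecureKnowledge article and not a Check Point tool), the following Python script parses an exported set of SmartView Tracker records in the "Field = value" form shown above and flags the three log signatures that make up this symptom: the "no valid SA" drop, the certificate-chain reject whose Encryption Scheme names SHA256, and the "invalid certificate" notification that follows it. The sample records are constructed; in particular the Encryption Scheme strings are assumed illustrative values, not taken from the article.

```python
"""Triage helper for the SHA-256 Phase 2 symptom pattern (added example, not from the article)."""
import re
from typing import Dict, List, Optional

# Constructed sample export: records are blank-line separated blocks of
# "Field = value" lines, mirroring the SmartView Tracker fields quoted above.
# The Encryption Scheme values are assumed for illustration only.
SAMPLE_LOG = """\
Action = Drop
Information = encryption fail reason: Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information

Action = Reject
Reject Reason = Gateway to Gateway authentication failure
Encryption Scheme = AES-256 + SHA256, Group 2
VPN Feature = IKE
Information = IKE: Main Mode Cannot construct a valid certificate chain from peer certificates

Action = Key Install
Encryption Scheme = IKE
VPN Feature = IKE
Information = IKE: Main Mode Sent Notification to Peer: invalid certificate

Action = Accept
Encryption Scheme = AES-128 + SHA1, Group 2
VPN Feature = IPsec
Information = tunnel established
"""

NO_VALID_SA = re.compile(r"no valid SA", re.IGNORECASE)
CERT_CHAIN_FAIL = re.compile(r"Cannot construct a valid certificate chain", re.IGNORECASE)
INVALID_CERT_NOTIFY = re.compile(r"Sent Notification to Peer: invalid certificate", re.IGNORECASE)
SHA256 = re.compile(r"\bSHA-?256\b", re.IGNORECASE)


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split an export into records; each record maps field name to value."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:  # blank line terminates a record
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition("=")
        if sep:  # ignore lines that are not "Field = value"
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def classify(record: Dict[str, str]) -> Optional[str]:
    """Return the symptom signature a record matches, or None."""
    action = record.get("Action", "")
    info = record.get("Information", "")
    scheme = record.get("Encryption Scheme", "")
    if action == "Drop" and NO_VALID_SA.search(info):
        return "no_valid_sa_drop"
    if action == "Reject" and CERT_CHAIN_FAIL.search(info) and SHA256.search(scheme):
        return "cert_chain_failure_sha256"
    if action == "Key Install" and INVALID_CERT_NOTIFY.search(info):
        return "invalid_cert_notification"
    return None


def triage(text: str) -> Dict[str, object]:
    """Count signatures and say whether the article's pattern is present.

    The pattern is present when the "no valid SA" drop is seen, or when the
    certificate-based pair (chain failure with SHA256 + invalid-certificate
    notification) is seen together.
    """
    counts: Dict[str, int] = {
        "no_valid_sa_drop": 0,
        "cert_chain_failure_sha256": 0,
        "invalid_cert_notification": 0,
        "unclassified": 0,
    }
    for record in parse_records(text):
        counts[classify(record) or "unclassified"] += 1
    cert_pair = (
        counts["cert_chain_failure_sha256"] > 0
        and counts["invalid_cert_notification"] > 0
    )
    result: Dict[str, object] = dict(counts)
    result["matches_article_pattern"] = counts["no_valid_sa_drop"] > 0 or cert_pair
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A positive result from `triage` only says that the logs look like this article's symptom; confirming it still means checking the community's Phase 2 'Perform data integrity with' setting as described above.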

Solution
Note: To view this solution you need to sign in.